Getting Ready for a Pen Test: Step 2

July 22, 2014

In the first blog post of our three-part pen test series, we discussed the five common ways an attacker can gain access to your corporate network that you should address immediately before bringing in a pen tester. The next critical step focuses on asset identification and network segmentation.

During this process, it’s important to take inventory of what systems are on your network and what critical information is stored on those systems. There are a number of automated tools that can help you keep track of the systems on your network; however, in our experience there is no effective automated way to catalogue and prioritize data. This needs to be done by all of the relevant stakeholders in each of the different business units of the organization. If you don’t understand what you need to protect, how can you properly protect it? As part of this, be sure to develop a hierarchy of the information so you know what your organization considers its “crown jewels.” What data would be most detrimental to your business if an attacker were to obtain it? Some examples include intellectual property, your clients’ personal information, or your business’s financial data. In a nutshell, you need to define what it is that your company uses to make money and protect those assets.

After you’ve identified what assets and information are actually on your network, it’s time to segment that information to make sure an attacker has limited access if they actually do break through your perimeter. Unfortunately, many organizations have no clear communication separation between endpoints at any of their locations. As pen testers, we like to call this the “castle wall effect.” This means almost any system can be accessed from anywhere else in the environment once the outside perimeter is breached, exposing the soft, unsecured underbelly of the internal network. Adjacent systems can be targeted to gain deeper access into the network if controls are not in place to isolate high-risk systems. The result is that an attacker could easily reach your server environment from the user workstation network, which is itself a high-risk target for phishing attacks.

When developing a network segmentation plan, it’s important to understand how your organization does business and who should have access to what information using the principle of least privilege, which gives employees the lowest level of user rights that they can have and still do their jobs. Also, your segmentation plan should isolate the following groups using firewall ACLs at a minimum:

  • Servers
  • Corporate resources – AD, Exchange, NAS, etc.
  • Endpoints (local and remote)
  • IT segment (access to management network)
  • Management traffic
  • VoIP

Finally, be sure technical controls are put in place to prevent and detect malicious activities (AV/IDS/IPS/SIEM, etc.). Although these technologies are by no means foolproof, they can aid in detecting less advanced attacks and cut down on network noise, giving you the ability to focus on detecting the more serious attackers that may be targeting your organization specifically. One example of a rule we always recommend is looking for a legitimate user or service account logging into multiple machines in a short amount of time. This is indicative of someone using a compromised account to rapidly harvest passwords from a number of machines, and it would rarely happen in day-to-day operations.
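The “one account, many machines in a short window” rule described above, as an added example that is not from the original post: a small Python detector run over constructed logon records in an assumed `timestamp,account,host` format (not any specific product’s log), flagging an account that logs on to more than five distinct hosts inside a ten-minute sliding window. The window and host threshold are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon records (not real data): timestamp,account,host.
# jsmith touches seven workstations in under four minutes (suspicious);
# svc_backup touches three servers spread over six hours (normal);
# admin logs on repeatedly to the same host (repeats are not distinct hosts).
SAMPLE_LOGONS = """\
2014-07-22T08:00:00,svc_backup,SRV-FILE1
2014-07-22T09:00:05,jsmith,WS-101
2014-07-22T09:00:40,jsmith,WS-102
2014-07-22T09:01:00,admin,SRV-DC1
2014-07-22T09:01:12,jsmith,WS-103
2014-07-22T09:01:55,jsmith,WS-104
2014-07-22T09:02:30,jsmith,WS-105
2014-07-22T09:03:02,jsmith,WS-106
2014-07-22T09:03:45,jsmith,WS-107
2014-07-22T09:05:00,admin,SRV-DC1
2014-07-22T09:06:30,admin,SRV-DC1
2014-07-22T10:00:00,svc_backup,SRV-FILE2
2014-07-22T14:00:00,svc_backup,SRV-FILE3
"""

def parse_logons(text):
    """Parse 'timestamp,account,host' lines into a time-sorted list of tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), account, host))
    events.sort()
    return events

def find_rapid_lateral_logons(events, window=timedelta(minutes=10), max_hosts=5):
    """Return {account: set_of_hosts} for every account seen on more than
    max_hosts distinct hosts within any sliding window of length `window`."""
    recent = defaultdict(deque)  # account -> (time, host) pairs inside the window
    flagged = {}
    for ts, account, host in events:
        q = recent[account]
        q.append((ts, host))
        while q and ts - q[0][0] > window:   # drop logons older than the window
            q.popleft()
        hosts = {h for _, h in q}             # distinct hosts, so repeats don't count
        if len(hosts) > max_hosts:
            flagged.setdefault(account, set()).update(hosts)
    return flagged

if __name__ == "__main__":
    for account, hosts in find_rapid_lateral_logons(parse_logons(SAMPLE_LOGONS)).items():
        print(f"ALERT: {account} logged on to {len(hosts)} hosts: {sorted(hosts)}")
```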


When it comes to technical controls, we recommend the following:

  • Use outbound egress filtering with deep packet inspection. If the attacker or malware can’t phone home, it can make exfiltration of data extremely difficult.
  • Ensure a proper process and the right personnel are in place for escalation when attacks are detected. This is one of the most important things the pen tester will test.
  • Understand the business units in your organization and what resources they need to access, and use that as a baseline for creating ACLs and groups within Active Directory. Spend the extra time, money and resources to ensure devices are configured properly.
  • Beware of vendors with all-in-one products that claim to fix all your problems. There is no such solution.

After you’ve completed the process of segmenting your network, you can move onto the third step in preparing for a pen test: understanding how to know if the test you’re getting is legit. We will discuss what you need to know in the final post in this series so you can schedule that pen test as soon as possible.
